suricata
detect-ttl.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements the ttl keyword including prefilter support.
25  */
26 
27 #include "suricata-common.h"
28 #include "stream-tcp.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 #include "detect-engine-uint.h"
34 
35 #include "detect-ttl.h"
36 #include "util-debug.h"
37 #include "util-byte.h"
38 
39 /* prototypes */
40 static int DetectTtlMatch (DetectEngineThreadCtx *, Packet *,
41  const Signature *, const SigMatchCtx *);
42 static int DetectTtlSetup (DetectEngineCtx *, Signature *, const char *);
43 void DetectTtlFree (DetectEngineCtx *, void *);
44 #ifdef UNITTESTS
45 void DetectTtlRegisterTests (void);
46 #endif
47 static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
48 static bool PrefilterTtlIsPrefilterable(const Signature *s);
49 
50 /**
51  * \brief Registration function for ttl: keyword
52  */
53 
55 {
57  sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value";
58  sigmatch_table[DETECT_TTL].url = "/rules/header-keywords.html#ttl";
59  sigmatch_table[DETECT_TTL].Match = DetectTtlMatch;
60  sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup;
62 #ifdef UNITTESTS
64 #endif
65  sigmatch_table[DETECT_TTL].SupportsPrefilter = PrefilterTtlIsPrefilterable;
66  sigmatch_table[DETECT_TTL].SetupPrefilter = PrefilterSetupTtl;
68 }
69 
70 /**
71  * \brief This function is used to match TTL rule option on a packet with
72  * those passed via ttl
73  *
74  * \param t pointer to thread vars
75  * \param det_ctx pointer to the pattern matcher thread
76  * \param p pointer to the current packet
77  * \param m pointer to the sigmatch that we will cast into DetectU8Data
78  *
79  * \retval 0 no match
80  * \retval 1 match
81  */
82 static int DetectTtlMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
83  const Signature *s, const SigMatchCtx *ctx)
84 {
86 
87  uint8_t pttl;
88  if (PacketIsIPv4(p)) {
89  const IPV4Hdr *ip4h = PacketGetIPv4(p);
90  pttl = IPV4_GET_RAW_IPTTL(ip4h);
91  } else if (PacketIsIPv6(p)) {
92  const IPV6Hdr *ip6h = PacketGetIPv6(p);
93  pttl = IPV6_GET_RAW_HLIM(ip6h);
94  } else {
95  SCLogDebug("Packet is not IPv4 or IPv6");
96  return 0;
97  }
98 
99  const DetectU8Data *ttld = (const DetectU8Data *)ctx;
100  return DetectU8Match(pttl, ttld);
101 }
102 
103 /**
104  * \brief this function is used to attld the parsed ttl data into the current signature
105  *
106  * \param de_ctx pointer to the Detection Engine Context
107  * \param s pointer to the Current Signature
108  * \param ttlstr pointer to the user provided ttl options
109  *
110  * \retval 0 on Success
111  * \retval -1 on Failure
112  */
113 static int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, const char *ttlstr)
114 {
115  DetectU8Data *ttld = DetectU8Parse(ttlstr);
116  if (ttld == NULL)
117  return -1;
118 
120  de_ctx, s, DETECT_TTL, (SigMatchCtx *)ttld, DETECT_SM_LIST_MATCH) == NULL) {
121  DetectTtlFree(de_ctx, ttld);
122  return -1;
123  }
125  return 0;
126 }
127 
128 /**
129  * \brief this function will free memory associated with DetectU8Data
130  *
131  * \param ptr pointer to DetectU8Data
132  */
134 {
135  SCDetectU8Free(ptr);
136 }
137 
138 /* prefilter code */
139 
140 static void
141 PrefilterPacketTtlMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
142 {
144 
145  uint8_t pttl;
146  if (PacketIsIPv4(p)) {
147  const IPV4Hdr *ip4h = PacketGetIPv4(p);
148  pttl = IPV4_GET_RAW_IPTTL(ip4h);
149  } else if (PacketIsIPv6(p)) {
150  const IPV6Hdr *ip6h = PacketGetIPv6(p);
151  pttl = IPV6_GET_RAW_HLIM(ip6h);
152  } else {
153  SCLogDebug("Packet is not IPv4 or IPv6");
154  return;
155  }
156 
157  const PrefilterPacketHeaderCtx *ctx = pectx;
158  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
159  return;
160 
161  DetectU8Data du8;
162  du8.mode = ctx->v1.u8[0];
163  du8.arg1 = ctx->v1.u8[1];
164  du8.arg2 = ctx->v1.u8[2];
165  if (DetectU8Match(pttl, &du8)) {
166  SCLogDebug("packet matches ttl/hl %u", pttl);
167  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
168  }
169 }
170 
171 static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
172 {
174  PrefilterPacketU8Set, PrefilterPacketU8Compare, PrefilterPacketTtlMatch);
175 }
176 
177 static bool PrefilterTtlIsPrefilterable(const Signature *s)
178 {
179  const SigMatch *sm;
180  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
181  switch (sm->type) {
182  case DETECT_TTL:
183  return true;
184  }
185  }
186  return false;
187 }
188 
189 #ifdef UNITTESTS
190 #include "tests/detect-ttl.c"
191 #endif
util-byte.h
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1460
DETECT_TTL
@ DETECT_TTL
Definition: detect-engine-register.h:45
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:316
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
SigTableElmt_::desc
const char * desc
Definition: detect.h:1459
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1444
SigTableElmt_::name
const char * name
Definition: detect.h:1457
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1323
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1627
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1448
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1347
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1442
DetectU8Parse
DetectUintData_u8 * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:85
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition: detect-engine-uint.h:43
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
PrefilterPacketU8Set
void PrefilterPacketU8Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:90
Signature_::flags
uint32_t flags
Definition: detect.h:669
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:501
IPV4_GET_RAW_IPTTL
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition: decode-ipv4.h:102
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:470
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1419
detect-ttl.c
detect-ttl.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
IPV4Hdr_
Definition: decode-ipv4.h:72
DetectTtlRegisterTests
void DetectTtlRegisterTests(void)
this function registers unit tests for DetectTtl
Definition: detect-ttl.c:212
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1441
DetectTtlFree
void DetectTtlFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectU8Data
Definition: detect-ttl.c:133
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
SIGMATCH_INFO_UINT8
#define SIGMATCH_INFO_UINT8
Definition: detect.h:1686
PrefilterPacketU8Compare
bool PrefilterPacketU8Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:98
detect-engine-prefilter-common.h
DetectTtlRegister
void DetectTtlRegister(void)
Registration function for ttl: keyword.
Definition: detect-ttl.c:54
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1446
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:254